CMS Should Take Steps to Mitigate Program Risks in Managed Care
GAO-18-291: Published: May 7, 2018. Publicly Released: Jun 6, 2018.
- Highlights Page:
- Full Report:
- Accessible Version:
Medicaid paid $171 billion—about half its total 2017 federal expenditures—to managed care organizations. The Centers for Medicare & Medicaid Services estimated that about 0.3% of that amount were improper payments.
For the entire Medicaid program, CMS estimated about 10% of payments were improper, which led us to question the managed care rate.
We examined state and federal reviews of managed care and the estimating method. We found that the estimation does not fully account for key risks such as overpayments and unallowable costs.
We recommended that CMS take steps to mitigate such risks.
Photo showing a person signing a form in front of a medical provider in a white coat
- Highlights Page:
- Full Report:
- Accessible Version:
What GAO Found
The Centers for Medicare & Medicaid Services' (CMS) estimate of improper payments for Medicaid managed care has limitations that are not mitigated by the agency's and states' current oversight efforts. One component of the Payment Error Rate Measurement (PERM) measures the accuracy of capitated payments, which are periodic payments that state Medicaid agencies make to managed care organizations (MCO) to provide services to enrollees and to cover other allowable costs, such as administrative expenses. However, the managed care component of the PERM neither includes a medical review of services delivered to enrollees, nor reviews of MCO records or data. Further, GAO's review of the 27 federal and state audits and investigations identified key program risks.
Ten of the 27 federal and state audits and investigations identified about $68 million in overpayments and unallowable MCO costs that were not accounted for by PERM estimates; another of these investigations resulted in a $137.5 million settlement.
These audits and investigations were conducted over more than 5 years and involved a small fraction of the more than 270 MCOs operating nationwide as of September 2017.
To the extent that overpayments and unallowable costs are unidentified and not removed from the cost data used to set capitation rates, they may allow inflated MCO payments and minimize the appearance of program risks in Medicaid managed care.
CMS and states have taken steps to improve oversight of Medicaid managed care through updated regulations, focused reviews of states' managed care programs, and federal program integrity contractors' audits of managed care services.
However, some of these efforts went into effect only recently, and others are unlikely to address the risks in managed care across all states.
Furthermore, these efforts do not ensure the identification and reporting of overpayments to providers and unallowable costs by MCOs.
Federal internal control standards call for agency management to identify and respond to risks. Without addressing key risks, such as the extent of overpayments and unallowable costs, CMS cannot be certain that its estimated improper payment rate for managed care (0.3 percent compared with 12.9 percent in Medicaid fee-for-service) accurately reflects program risks.
Why GAO Did This Study
The improper payment rate is a sentinel measure of program integrity risks for the Medicaid program. CMS and the states oversee Medicaid, whose size, structure, and diversity make it vulnerable to improper payments. CMS estimates the Medicaid improper payment rate annually through its PERM, which includes an estimate for Medicaid managed care, in which states contract with MCOs to provide services to Medicaid enrollees.
GAO was asked to study the PERM methodology for managed care. In this report, GAO examined the extent to which the PERM accounts for program integrity risks in Medicaid managed care, including CMS's and states' oversight. GAO identified program integrity risks reported in 27 federal and state audits and investigations issued between January 2012 and September 2017; reviewed federal regulations and guidance on the PERM and CMS's Focused Program Integrity Reviews; and contacted program integrity officials in the 16 states with a majority of 2016 Medicaid spending for managed care, as well as CMS officials and program integrity experts.
What GAO Recommends
The Administrator of CMS should consider and take steps to mitigate the program risks that are not measured in the PERM, such as overpayments and unallowable costs; such an effort could include actions such as revising the PERM methodology or focusing additional audit resources on managed care. HHS concurred with this recommendation. HHS also provided technical comments, which were incorporated as appropriate.
For more information, contact Carolyn L. Yocom at (202) 512-7114 or firstname.lastname@example.org.
Recommendation for Executive Action
Comments: CMS concurred with this recommendation. In October 2018, it reported that it was developing a corrective action plan to address the recommendation. CMS also reported that it has published several guidance documents and is in the process of finalizing others. In addition, it reported that it continues to develop educational strategies (such as a recent course managed care offered by CMS' Medicaid Integrity Institute) and oversight and audit strategies and mechanisms related to managed care. CMS communicated that it initiated 32 audits involving Medicaid managed care network providers in 6 states and an audit of a managed care plan in another state in FY 2018. For FY 2019, CMS stated that it will be establishing a medical loss ratio examination process and initiating such audits of managed care organizations in California. CMS also stated that it will be developing guidance for states and managed care plans on managed care delivery and oversight to develop program integrity capacity and reduce program risks. We will continue to monitor CMS's progress to take steps to mitigate the managed care program risks not measured in the PERM.
Recommendation: The Administrator of CMS should consider and take steps to mitigate the program risks that are not measured in the PERM, such as overpayments and unallowable costs; such an effort could include actions such as revising the PERM methodology or focusing additional audit resources on managed care. (Recommendation 1)
Agency Affected: Department of Health and Human Services: Centers for Medicare and Medicaid Services